VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49448

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/nav/delete.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to CSRF via admin/nav/delete, allowing an attacker to delete navigation items by riding a logged-in administrator's session, without the administrator's knowledge.

JFinalCMS v5.0.0 suffers from a Cross-Site Request Forgery (CSRF) vulnerability in the navigation management functionality. The flaw exists in the /admin/nav/delete endpoint, which performs deletion operations without implementing CSRF tokens or other anti-forgery protections [1][2]. An attacker can craft a malicious HTML page that automatically submits a POST request to delete a navigation item, leveraging the authenticated session of an unaware administrator.

To exploit this vulnerability, the attacker must trick an authenticated administrator into visiting a crafted webpage or clicking a malicious link. The attack requires no special privileges beyond the administrator's existing session, and the request is automatically executed if the victim is logged in to JFinalCMS. The provided proof-of-concept demonstrates a simple form submission that deletes a navigation entry with a given ID [2].

Successful exploitation allows an attacker to delete arbitrary navigation items defined in the CMS, potentially disrupting site structure and functionality. Since delete operations are performed without user confirmation, an attacker could silently remove critical navigation links. This could lead to denial of service or defacement of the admin interface.

As of publication, no official patch has been released for JFinalCMS v5.0.0, and the software may be end-of-life. Administrators are advised to add CSRF protections themselves, such as anti-CSRF (synchronizer) tokens on every state-changing admin form or validation of the Origin header for sensitive actions. Alternatively, restricting access to the admin panel via network controls can reduce exposure [1].
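The two mitigations named above, combined into one request guard for the /admin/nav/delete endpoint, as an added framework-agnostic example (not JFinalCMS code; the site origin, the `_csrf` form field name and the session dictionary are assumptions). The Origin check runs first, then the per-session token check, so a cross-site form post is rejected even when the administrator is logged in:

```python
"""CSRF guard for a state-changing admin endpoint such as /admin/nav/delete."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"      # constructed: the CMS's own origin
PROTECTED_PATHS = {"/admin/nav/delete"}  # endpoint named in the advisory
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session: dict) -> str:
    """Create (or reuse) a per-session synchronizer token; embed it in admin forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_ok(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the site itself."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            # No source information at all on a state-changing request: reject.
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(method: str, path: str, headers: dict, form: dict, session: dict) -> tuple:
    """Return (allowed, reason). Safe methods and unprotected paths pass through untouched."""
    if method.upper() in SAFE_METHODS or path not in PROTECTED_PATHS:
        return True, "not a protected state-changing request"
    if not _origin_ok(headers):
        return False, "cross-site or unknown origin"
    expected = session.get("csrf_token", "")
    supplied = form.get("_csrf", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A browser always sends Origin on a cross-site form POST, so the first check alone defeats the crafted-page scenario; the token check covers clients that omit both headers.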

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
com.jfinal:jfinal (Maven)   <= 5.0.0   none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)